Split the Repos

2018-09-21 12:45:50 +02:00
commit 64f10d16d9
158 changed files with 58752 additions and 0 deletions
--- a/dev-python/cryptography/Manifest
+++ b/dev-python/cryptography/Manifest
@@ -0,0 +1,6 @@
+AUX CVE-2018-10903.patch 3641 BLAKE2B a426705cfcbc9ba4e3ffd662610b7a27c7afe52dff71d1c7248c03524369faa763196eb018b7ea94b8ac87cc5cb5dd5bf172f5cdedadb54be62dbe4e0819ed82 SHA512 94c56586ae1649b29959d855235af8e84bc9dd927b412e0e0a62cb47bb52580a919bacefe4be6d0b75318be05afccb950dbff3d7f6ec1cb44c111a4bbc2e6a99
+AUX cryptography-1.7.1-libressl251.patch 948 BLAKE2B cfb192c89d714093f366a75245911de165a3cab7062737df7b949a928927a5b6f0000b9fa7efa416798c62c803b406b14d2888afef87f8e63759fd3ff74c8da9 SHA512 5660bd82498ec2bd17ad4dcbd8d3ffd8a2a1364dc5584736e4cff278bbeb4644138336385fa2bc16261fe4712481c6cffba227aaa09c841df3081709f8ec7187
+AUX cryptography-2.1.4-libressl-2.7-x509.patch 1005 BLAKE2B 9c01fe0f9c3c8c598388db68f68470b953b4a8e79dba8c1d3c6ce56486a93f340101a58db8771fa1adeaabe430d78acbb6723da597b8b114416d676022b989d4 SHA512 fc58993b3dc86990194e03c7cc4554d83260b243913d77b3743fe1f9fd0d21985ee849c6b7f7fc158c48b75505e8e8a9adf090b9c7ba40e12b09b3c020e50afe
+AUX cryptography-2.1.4-libressl-2.7-x509_vfy.patch 3419 BLAKE2B 89642459484d42958aec818c4196eff35991ba415c76ee1f43c0765b1a9687c6b405f31322227eb132309439aa8d7ee5ed6df7ed07f640e4eea21c6e97fde858 SHA512 e941b89924d68b1d1dfe8e64a4f7ae363ccb53fd232a3853d9ddba0a7aed1dc27fb8d699e9197bdd7ff0b1780c1f12edd2edd4133f08e2f7f13348b170985a4c
+DIST cryptography-2.3.1.tar.gz 449577 BLAKE2B 66a94f68a6f5c14ff1e3316ea740bda8c34135bc4614a6a36880d4970d54cb72d69374555a6a89dd9a6794e35feed8fc4598ad071cce33b9515da1ada4c38d53 SHA512 384581238b5669dbf31fd1b1385ec2ff9c6d76e2b7612efb15f255e17a11a38474f84668e62ceaa39a146260f46cac743575c0a8ffedc1e40c7b2f90d7cb00b1
+EBUILD cryptography-2.3.1.ebuild 2162 BLAKE2B b7b99f45e7cae87e2f286e1edc07fd96d79bed983642e2f08500b89ca8f6102596b79a000d1de33316b3ae56e4fab1ebc632db974ba3f4c0a23637e8a53552f5 SHA512 5999a1de82114e5da46ab9bcea4de62e6552c1323e410fe1d829c1ab962153b3b14befc6a60fb6f748c03a4926a332e5e084bea67597503914f0e28283546cc2
--- a/dev-python/cryptography/cryptography-2.3.1.ebuild
+++ b/dev-python/cryptography/cryptography-2.3.1.ebuild
@@ -0,0 +1,67 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 python3_{4,5,6,7} pypy{,3} )
+PYTHON_REQ_USE="threads(+)"
+
+inherit distutils-r1 flag-o-matic
+
+DESCRIPTION="Library providing cryptographic recipes and primitives"
+HOMEPAGE="https://github.com/pyca/cryptography/ https://pypi.org/project/cryptography/"
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+
+LICENSE="|| ( Apache-2.0 BSD )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="libressl test"
+
+# the openssl 1.0.2l-r1 needs to be updated again :(
+# It'd theb be able to go into the || section again
+#=dev-libs/openssl-1.0.2l-r1:0
+# the following is the original section, disallowing bindist entirely
+#!libressl? ( >=dev-libs/openssl-1.0.2:0=[-bindist(-)] )
+RDEPEND="
+	!libressl? (
+		dev-libs/openssl:0= (
+			|| (
+				dev-libs/openssl:0[-bindist(-)]
+				>=dev-libs/openssl-1.0.2o-r6:0
+			)
+		)
+	)
+	libressl? ( dev-libs/libressl:0= )
+	$(python_gen_cond_dep 'dev-python/enum34[${PYTHON_USEDEP}]' python2_7 pypy{,3})
+	>=dev-python/idna-2.1[${PYTHON_USEDEP}]
+	>=dev-python/asn1crypto-0.21.0[${PYTHON_USEDEP}]
+	dev-python/setuptools[${PYTHON_USEDEP}]
+	>=dev-python/six-1.4.1[${PYTHON_USEDEP}]
+	virtual/python-ipaddress[${PYTHON_USEDEP}]
+	"
+DEPEND="${RDEPEND}
+	>=dev-python/setuptools-1.0[${PYTHON_USEDEP}]
+	$(python_gen_cond_dep '>=dev-python/cffi-1.7:=[${PYTHON_USEDEP}]' 'python*')
+	$(python_gen_cond_dep '!~dev-python/cffi-1.11.3[${PYTHON_USEDEP}]' 'python*')
+	test? (
+		~dev-python/cryptography-vectors-${PV}[${PYTHON_USEDEP}]
+		dev-python/hypothesis[${PYTHON_USEDEP}]
+		dev-python/iso8601[${PYTHON_USEDEP}]
+		dev-python/pretend[${PYTHON_USEDEP}]
+		dev-python/pyasn1-modules[${PYTHON_USEDEP}]
+		>=dev-python/pytest-2.9.0[${PYTHON_USEDEP}]
+		dev-python/pytz[${PYTHON_USEDEP}]
+	)"
+
+DOCS=( AUTHORS.rst CONTRIBUTING.rst README.rst )
+
+PATCHES=(
+)
+
+python_configure_all() {
+	append-cflags $(test-flags-CC -pthread)
+}
+
+python_test() {
+	py.test -v -v -x || die "Tests fail with ${EPYTHON}"
+}
--- a/dev-python/cryptography/files/CVE-2018-10903.patch
+++ b/dev-python/cryptography/files/CVE-2018-10903.patch
@@ -0,0 +1,76 @@
+From 688e0f673bfbf43fa898994326c6877f00ab19ef Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Tue, 17 Jul 2018 10:47:57 +0800
+Subject: [PATCH] disallow implicit tag truncation with finalize_with_tag
+
+---
+ docs/hazmat/primitives/symmetric-encryption.rst     |  1 +
+ src/cryptography/hazmat/backends/openssl/ciphers.py |  5 +++++
+ src/cryptography/hazmat/primitives/ciphers/modes.py |  1 +
+ tests/hazmat/primitives/test_aes.py                 | 16 ++++++++++++++++
+ 5 files changed, 28 insertions(+)
+
+diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst
+index 5ebcca754..5b6000902 100644
+--- a/docs/hazmat/primitives/symmetric-encryption.rst
+++ b/docs/hazmat/primitives/symmetric-encryption.rst
+@@ -670,6 +670,7 @@ Interfaces
+         :raises ValueError: This is raised when the data provided isn't
+             a multiple of the algorithm's block size, if ``min_tag_length`` is
+             less than 4, or if ``len(tag) < min_tag_length``.
+            ``min_tag_length`` is an argument to the ``GCM`` constructor.
+         :raises NotImplementedError: This is raised if the version of the
+             OpenSSL backend used is 1.0.1 or earlier.
+ 
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 462ffea25..e0ee06ee2 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -199,6 +199,11 @@ def finalize_with_tag(self, tag):
+                 "finalize_with_tag requires OpenSSL >= 1.0.2. To use this "
+                 "method please update OpenSSL"
+             )
+        if len(tag) < self._mode._min_tag_length:
+            raise ValueError(
+                "Authentication tag must be {0} bytes or longer.".format(
+                    self._mode._min_tag_length)
+            )
+         res = self._backend._lib.EVP_CIPHER_CTX_ctrl(
+             self._ctx, self._backend._lib.EVP_CTRL_AEAD_SET_TAG,
+             len(tag), tag
+diff --git a/src/cryptography/hazmat/primitives/ciphers/modes.py b/src/cryptography/hazmat/primitives/ciphers/modes.py
+index 598dfaa4a..543015fef 100644
+--- a/src/cryptography/hazmat/primitives/ciphers/modes.py
+++ b/src/cryptography/hazmat/primitives/ciphers/modes.py
+@@ -220,6 +220,7 @@ def __init__(self, initialization_vector, tag=None, min_tag_length=16):
+                         min_tag_length)
+                 )
+         self._tag = tag
+        self._min_tag_length = min_tag_length
+ 
+     tag = utils.read_only_property("_tag")
+     initialization_vector = utils.read_only_property("_initialization_vector")
+diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py
+index d6f83ebc2..4ceccf155 100644
+--- a/tests/hazmat/primitives/test_aes.py
+++ b/tests/hazmat/primitives/test_aes.py
+@@ -439,3 +439,19 @@ def test_gcm_tag_decrypt_finalize(self, backend):
+             decryptor.finalize()
+         else:
+             decryptor.finalize_with_tag(tag)
+
+    @pytest.mark.supported(
+        only_if=lambda backend: (
+            not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 or
+            backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
+        ),
+        skip_message="Not supported on OpenSSL 1.0.1",
+    )
+    def test_gcm_tag_decrypt_finalize_tag_length(self, backend):
+        decryptor = base.Cipher(
+            algorithms.AES(b"0" * 16),
+            modes.GCM(b"0" * 12),
+            backend=backend
+        ).decryptor()
+        with pytest.raises(ValueError):
+            decryptor.finalize_with_tag(b"tagtooshort")
--- a/dev-python/cryptography/files/cryptography-1.7.1-libressl251.patch
+++ b/dev-python/cryptography/files/cryptography-1.7.1-libressl251.patch
@@ -0,0 +1,17 @@
+diff -Naur cryptography-1.7.1.orig/src/_cffi_src/openssl/x509_vfy.py cryptography-1.7.1/src/_cffi_src/openssl/x509_vfy.py
+--- cryptography-1.7.1.orig/src/_cffi_src/openssl/x509_vfy.py	2017-02-01 12:29:59.080728417 -0800
+++ cryptography-1.7.1/src/_cffi_src/openssl/x509_vfy.py	2017-02-01 12:31:48.017895844 -0800
+@@ -221,10 +221,13 @@
+ static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
+ static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
+ static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
+#if !CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER || \
+    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2050100fL)
+ static const long X509_V_ERR_HOSTNAME_MISMATCH = 0;
+ static const long X509_V_ERR_EMAIL_MISMATCH = 0;
+ static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
+#endif
+ #endif
+ 
+ /* OpenSSL 1.0.2beta2+ verification parameters */
+ #if CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER && \
--- a/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509.patch
+++ b/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509.patch
@@ -0,0 +1,23 @@
+diff -ur a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
+--- a/src/_cffi_src/openssl/x509.py	2017-07-27 05:11:29.000000000 +0200
+++ b/src/_cffi_src/openssl/x509.py	2018-03-23 10:28:00.387774214 +0100
+@@ -254,8 +254,7 @@
+ 
+ const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *);
+ 
+-/* in 1.1.0 becomes const ASN1_BIT_STRING, const X509_ALGOR */
+-void X509_get0_signature(ASN1_BIT_STRING **, X509_ALGOR **, X509 *);
+void X509_get0_signature(const ASN1_BIT_STRING **, const X509_ALGOR **, const X509 *);
+ 
+ long X509_get_version(X509 *);
+ 
+@@ -338,7 +337,8 @@
+ CUSTOMIZATIONS = """
+ /* Added in 1.0.2 beta but we need it in all versions now due to the great
+    opaquing. */
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && \
+    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+ /* from x509/x_x509.c version 1.0.2 */
+ void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+                          const X509 *x)
--- a/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509_vfy.patch
+++ b/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509_vfy.patch
@@ -0,0 +1,73 @@
+$OpenBSD: patch-src__cffi_src_openssl_x509_vfy_py,v 1.7 2018/02/22 18:49:16 sthen Exp $
+
+--- a/src/_cffi_src/openssl/x509_vfy.py
+++ b/src/_cffi_src/openssl/x509_vfy.py
+@@ -204,7 +204,7 @@ int sk_X509_OBJECT_num(Cryptography_STACK_OF_X509_OBJE
+ X509_OBJECT *sk_X509_OBJECT_value(Cryptography_STACK_OF_X509_OBJECT *, int);
+ X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *);
+ Cryptography_STACK_OF_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *);
+-X509 *X509_OBJECT_get0_X509(X509_OBJECT *);
+X509 *X509_OBJECT_get0_X509(const X509_OBJECT *);
+ int X509_OBJECT_get_type(const X509_OBJECT *);
+ 
+ /* added in 1.1.0 */
+@@ -220,14 +220,11 @@ static const long Cryptography_HAS_102_VERIFICATION_ER
+ static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1;
+ #else
+ static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 0;
+#if LIBRESSL_VERSION_NUMBER >= 0x2070000fL
+static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1;
+#else
+ static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 0;
+ 
+-static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
+-static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
+-static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
+-static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
+-static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
+-static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
+ /* These 3 defines are unavailable in LibreSSL 2.5.x, but may be added
+    in the future... */
+ #ifndef X509_V_ERR_HOSTNAME_MISMATCH
+@@ -240,12 +237,6 @@ static const long X509_V_ERR_EMAIL_MISMATCH = 0;
+ static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
+ #endif
+ 
+-/* X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2+, but it is added separately
+-   below because it shows up in some earlier 3rd party OpenSSL packages. */
+-static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0;
+-static const long X509_V_FLAG_SUITEB_192_LOS = 0;
+-static const long X509_V_FLAG_SUITEB_128_LOS = 0;
+-
+ int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const char *,
+                                    size_t) = NULL;
+ int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const char *,
+@@ -257,6 +248,19 @@ void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PA
+                                         unsigned int) = NULL;
+ #endif
+ 
+static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
+static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
+static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
+/* X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2+, but it is added separately
+   below because it shows up in some earlier 3rd party OpenSSL packages. */
+static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0;
+static const long X509_V_FLAG_SUITEB_192_LOS = 0;
+static const long X509_V_FLAG_SUITEB_128_LOS = 0;
+#endif
+
+ /* OpenSSL 1.0.2+ or Solaris's backport */
+ #ifdef X509_V_FLAG_PARTIAL_CHAIN
+ static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN = 1;
+@@ -292,7 +296,7 @@ X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+     return ctx->cert;
+ }
+ 
+-X509 *X509_OBJECT_get0_X509(X509_OBJECT *x) {
+X509 *X509_OBJECT_get0_X509(const X509_OBJECT *x) {
+     return x->data.x509;
+ }
+ #endif